EU Privacy Reform – First Q&A from EC

The EU Privacy reform was agreed last week and the European Commission has now published the first Q&A clarifying some changes of this data protection revolution.

I had covered in a previous post the breaking news about the agreement reached at the European level on the privacy reform. I am working on a series of posts on the most “hot” topics of the new data protection regulation, but the European Commission has now published the first questions and answers on the topic. Below is my interpretation of some of the questions raised by the European Commission:

Why did the Commission propose a reform of the EU privacy rules?

The position of the European Commission is that the goal is to remove the inconsistency among data protection rules across the European Union that derives from the national implementations of EU Directive 95/46, and to modernize the rules for a digital world. The EU privacy regulation is directly enforceable and therefore no implementation is “in theory” required

BUT

The regulation still leaves some “gray areas” that will need local implementation. Indeed, one of the current questions is whether local data protection laws shall be fully repealed, since they were mainly the implementation of EU Directive 95/46, or whether some of their provisions shall survive, cross-referring to the regulation. Also, the approach followed in the latest version of the regulation on the “one-stop shop” rule still leaves considerable control to local data protection authorities.

Will cross border businesses have to deal with a single privacy law? And what about non-EU entities?

The previous question is linked to this issue. There will be a single piece of legislation setting data protection rules across the whole European Union with savings for companies that are estimated in the range of € 2.3 billion a year.

Companies established in more than one EU Member State, or established in a single EU Member State (or having a processor established in an EU Member State) but performing data processing activities in the Union that substantially affect or are likely to substantially affect individuals in more than one Member State, will have to deal with a lead data protection authority rather than with 28 different authorities under the “one-stop shop” rule

BUT

considerable exceptions have been introduced for matters that are more relevant locally and therefore shall be dealt with by the local privacy authority, which in any case shall cooperate and agree any decision with the lead authority. A relevant issue is therefore whether such a complex structure will really simplify the life of companies and how such “cooperation” will actually work.

And this is an issue also for non-EU entities that either offer their products/services in the European Union or monitor (e.g. by means of cookies) the behavior of individuals located in the EU.

which provides that data controllers “shall be responsible for and be able to demonstrate compliance” with the data protection principles provided by the regulation. This means that the burden of proof of showing privacy compliance will be on data controllers, and in this respect the arrangement of documentation showing compliance with the principles of privacy by design and by default and security by design will be crucial.